Numerous types of computing applications and protocols rely on the use of random data. For example, random (or, more accurately, pseudo-random) numbers may be used for generating cryptographic keys, certificates, or other cryptographic artifacts such as initialization vectors and nonces that are in turn used in large numbers of transactions carried out over public and/or private networks. Such cryptographic artifacts are the bases of the trust placed in security algorithms by millions of end users and service providers, and are fundamental for providing data confidentiality, authentication and integrity. The vast majority of Internet-based services, which may cumulatively result in billions of dollars of business revenue annually, rely on the use of random data to implement some of the core infrastructure technologies used for those services. Government agencies such as revenue collection services and/or research establishments also utilize security algorithms dependent upon random data for critical operations. Random numbers may also be used for a variety of other purposes, such as for generating unique identifiers, sequence numbers used in networking and other protocols, back-off delay intervals and the like. In some of these other use cases, the random numbers generated by a given source may be accessible by a number of different entities.
The extent to which the applications and systems using random numbers for security-related purposes are truly secure may depend upon the quality of the random numbers. For example, malicious attackers may be able to penetrate the security of a given system if the statistical quality of the random numbers being produced by a random number source of the system is poor (e.g., if there is a predictable correlation between different random numbers being produced by the source over time, and if it is possible to accumulate a sufficient quantity of output from the source to detect the correlation). The quality of the random numbers produced by a random number generator may in turn depend on the quality of its entropy sources (the physical phenomena, assumed to be intrinsically random, which are used to generate the bit sequences used for the random numbers). Unfortunately, random number consumers often have little direct control on the vulnerabilities of the random number generators being used. The problem of poor random number quality may be exacerbated in certain types of environments in which a limited number of random number generators and corresponding entropy sources are used for a variety of applications, some with more stringent security requirements than others.
While embodiments are described herein by way of example for several embodiments and illustrative drawings, those skilled in the art will recognize that embodiments are not limited to the embodiments or drawings described. It should be understood, that the drawings and detailed description thereto are not intended to limit embodiments to the particular form disclosed, but on the contrary, the intention is to cover all modifications, equivalents and alternatives falling within the spirit and scope as defined by the appended claims. The headings used herein are for organizational purposes only and are not meant to be used to limit the scope of the description or the claims. As used throughout this application, the word “may” is used in a permissive sense (i.e., meaning having the potential to), rather than the mandatory sense (i.e., meaning must). Similarly, the words “include,” “including,” and “includes” mean including, but not limited to.